In recent years, authors of malicious software (“malware”) have attempted to proliferate malware by generating thousands or potentially millions of variations of a malicious program or file. For example, a malware author may create a unique variant of a malicious file for each intended target by repacking, compressing, encrypting, and/or otherwise obfuscating the file before distributing (or redistributing) the same. Unfortunately, because many existing antivirus technologies detect malware by detecting or identifying unique digital signatures or fingerprints associated with known-malicious files, malware authors may avoid detection by only distributing new (i.e., unique) variants of their malicious files.
In an attempt to combat this problem, at least one security-software vendor has attempted to implement a reputation-based security system. In a reputation-based security system, a security-software vendor may attempt to determine the trustworthiness of a file by collecting, aggregating, and analyzing data from potentially millions of user devices within a community, such as the security-software vendor's user base. For example, by determining a file's origin, age, and prevalence within the community (such as whether the file is predominantly found on at-risk or “unhealthy” machines within the vendor's user base), among other details, a security-software vendor may gain a fairly accurate understanding as to the trustworthiness of the file.
However, in order to avoid producing an unacceptable number of false positives, reputation-based security systems may allow new files (i.e., files that have not been encountered before within the community) to be stored and run on user devices. Thus, by only distributing unique or otherwise obfuscated variants of malicious files, malware authors may circumvent some reputation-based security systems. As such, the instant disclosure identifies a need for systems and methods for effectively detecting unique malware variants.